RES 2013-1109 - PO from Continuum Security Solutions for DotComm cyber security end user awareness training program

Office of the Mayor
1819 Farnam Street, Suite 300
Omaha, Nebraska 68183-0300
(402) 444-5000
Fax: (402) 444-6059

City of Omaha
Jean Stothert, Mayor

Honorable President and Members of the City Council,

Transmitted herewith is Resolution authorizing the purchase of and payment for professional services related to the Douglas-Omaha Technology Commission (DotComm) Cyber Security End User Awareness Training Program in the amount of $35,200.00. The End User Awareness Program is part of the DotComm's ongoing efforts to secure the City and County information networks through both network resiliency and end user awareness training.

Continuum Security Solutions is the sole vendor of the professional services required for the establishment of the DotComm Cyber Security End User Awareness Training Program aimed at raising City/County Cyber Security end user awareness. In accordance with the provisions of Section 5.16, Home Rule Charter, in the event of a sole source vendor, the City Council may, by resolution, authorize the Purchasing Division to issue a purchase order for the services.

The Cyber Security End User Awareness Program training is budgeted and will be funded up to $35,200.00 by the Nebraska Emergency Management Agency (NEMA) FY 2010 Urban Area Security Initiative, Award #2010-SS-T8-0013, approved by City Council on September 13, 2011, Ordinance No. 39112, Fund 12151, Organization 130762.

Respectfully submitted,
Jean Stothert, Mayor    Date

Approved as to Funding:
Al Herink, Interim Finance Director    Date

Approved:
Human Rights and Relations    Date

P:\MYR\0060PR

CONTINUUM SECURITY SOLUTIONS
A MUTUAL OF OMAHA COMPANY

DOT.COMM
March 2013

Submitted by:
Bret Brasfield
Business Developer, Security Solutions
Chris Hoke CISSP, CISA, PCI QSA
Director, Security Solutions

3333 Farnam Street, Suite 1
Omaha, Nebraska 68131
800 780 0298
cwc-security.com

Corporate Profile
Description of Service
Continuum Security Solutions Responsibilities
DOT.COMM Responsibilities
Cost of Services
Project Change Control

DOT.COMM, in conjunction with Sarpy County, is asking for a comprehensive information security policy and procedure review. The goal of this review is to assess the current state of the DOT.COMM information security program. This project will utilize a three-phase implementation.
In the first phase, Continuum Security Solutions will conduct an information security policy and procedure review. In the second phase, Continuum Security Solutions will create end-user awareness training modules to support cyber security protocol within the counties. The training modules will focus on DOT.COMM's information security policy, cyber security, and general information technology best practices. They will be designed to support new and existing policies for current county employees, as well as all new hires. In the third phase, Continuum Security Solutions will expand the training to include modules for individuals with access to confidential data and/or elevated access rights. Enterprise devices and remote connectivity (i.e., county-owned devices, personal devices, and third party devices) will also be covered in this training expansion.

Corporate Profile

Continuum Security Solutions is a leading independent provider of information security solutions, engaged in all phases of compliance, assessments, governance, and incident response. With expertise developed through decades of real-world experience, our consultants take a holistic approach to clients' risk. We help clients recognize threats, evaluate potential impacts and create individually tailored programs that transform their ability to manage exposure to future detrimental activities. We do this by focusing on the following solutions:

PCI Compliance
We provide payment card industry compliance services to organizations that store, process, and/or transmit payment card data. Our services provide organizations the tools they need to efficiently manage payment card data risks and drive on-going compliance.

Assessments
We provide a comprehensive suite of services for the assessment and identification of vulnerabilities within your applications, networks, and infrastructure.
If you simply need to fulfill your compliance requirements, or if you would like to test your network security against a full scope attack that simulates being targeted by a malicious party, we have the expertise to meet your needs.

Governance
Continuum uses a business-centric approach to identify your processes and document security requirements. Long-term sustainability of information security risk mitigation efforts is closely aligned with how they fit into an organization's strategic plan. We offer strategic planning and consultation to ensure an organization's best development and implementation of their information security programs.

Incident Response
Continuum provides incident response services to help businesses collect, preserve, analyze and produce information about digital media in a thorough, efficient, and cost-effective manner. Our forensic and data experts collect, preserve, analyze, and produce information in a confidential, tightly controlled, and secure environment/procedure that allows for proper preservation of electronic evidence (e-Evidence). We also have experience testifying in Federal Court.

Description of Service

To help establish and define components of an information security awareness program to be utilized by DOT.COMM and Sarpy County, Continuum Security Solutions will provide the following:
• A project plan for the development of information security awareness training which includes:
  o Policy and procedure discovery review.
• A documented framework based on industry practices relative to DOT.COMM. The documented framework will include:
  o Information security program training.
  o Identification of key control objectives derived from NIST and SANS security frameworks.
• A Roadmap of initiatives to implement and monitor controls relative to requirements set forth by UASI grant funding.
• Review of program initiatives determined by DOT.COMM and Continuum Security Solutions.
The following table identifies additional elements that are included and excluded from the scope of the proposed engagement:

Assessment of the DOT.COMM information security program to include: • Policies & procedures • Technical documentation • Interviews with key personnel | X | Assessment is based on defined frameworks NIST/SANS. Locations include Douglas and Sarpy Counties
Provide prioritized recommendations and activities based on assessment finding | X |
Provide detailed project plan | X | Project plan
Provide regular engagement updates | X | Weekly project updates at a minimum
Transfer of knowledge related to assessment | X | Assessment interviews, project updates
Document review for NIST security framework & SANS best practices | X | Policies and procedures
Internal report and sanitized summary for county officials that will not reveal any vulnerabilities to the public per security protocol. | X |
System and network configuration review and remediation | X |

Phase 1 Deliverable (Policy Procedure Review) 7-10 business days:
Continuum will assess policy and procedures as it relates to information security protocol for Douglas and Sarpy County. The core purpose of this deliverable is to ascertain the current state of the environment against the expected standard. Continuum will issue a report on the gap assessment for each county, based on the current state. This report will act as a policy and course development road map for the county. Continuum will not assist the counties with policy mitigation as it is outside the scope of work, but we will use the report results for subsequent training development. It is essential that these policies be complete and up-to-date in order to align with the corresponding security framework.
Phase 2 Deliverable (Course Development) 5-7 days:
Continuum will develop courses that Douglas and Sarpy County will use to align staff within the information security framework and best practice protocol. All courses will be scripted and outlined for county approval prior to production. All course content will be standalone; they will be able to be taken on their own without prior or subsequent courses. The courses listed below are representative samples of possible courses to be developed, however all content is subject to change based on the specifics of the security framework.
• Passwords
• Citizen & Employee Confidentiality
• Information Security
• Bring Your Own Device (BYOD)
• Social Media
• Cyber-Security

Phase 3 Deliverable (Specialty Course Development) 2-3 days:
Confidential and elevated access rights training will expand on the current training suite to include modules for individuals with access to confidential data and/or elevated access rights. Enterprise devices and remote connectivity (i.e., county-owned devices, personal devices, and third party devices) will also be covered in this training expansion.

Timelines:
The entire project will take approximately 30-45 days. A better part of the work will take approximately 20 days, however Continuum builds in time for the county teams to acquire required documentation. The extra time built in allows for review of content by county teams after Continuum has completed the assessments and training content.

In order to conduct this project, Continuum Security Solutions will utilize the following methods for Information Gathering and Analysis. These methods will ensure Continuum Security Solutions provides DOT.COMM with deliverables that are well-thought out and precise to meet the objectives and requirements of the project.
Assessment Methodology

[Figure: Assessment Methodology. Phases shown: Project Planning, Information Gathering, Analysis, Validation, Reporting, Remediation, Quality Assurance]

Project Planning
The project planning phase of the assessment methodology allows Continuum Security Solutions to identify with the client to determine the final scope of the assessment. A key aspect of the project planning phase is the definition of critical success factors and reaffirmation of business objectives of the client. In addition, an assessment work plan will be finalized by Continuum Security Solutions and the client. Elements of the project planning phase include:
• Agreement on overall scope of the assessment
• Identification of resources that will be assigned to the project
• Communication plan for the duration of the project
• Project timeline and milestones

Information Gathering
Information gathering is a key phase in the assessment methodology. This phase consists of methods to gain information regarding the business processes and supporting technology within the scope of the project. Elements of the information gathering phase include:
• Documentation request (policies, procedures, and other relevant documentation)
• Client questionnaires
• Face-to-face interviews w/ business process owners and support personnel
• On-site visit and walkthroughs
• Control testing (demonstrations, reports, scripts)
• Document information that potentially impacts the controls of the business processes

Analysis
The analysis phase of the assessment methodology involves the use of the information gathered in the assessment. The review of the information and baseline to a selected control framework is performed and documented.
Elements of the analysis phase include:
• Documentation review
• Questionnaire review
• Baseline information gathered to control framework
• Identify possible gaps
• Document controls
• Formulate remediation recommendations

Validation
A key component to an assessment methodology is the validation of information gathered and controls reviewed. Validations to ensure implemented controls are valid and risk ratings are appropriate provide the client with an accurate assessment of their business processes and control environment. Elements of the analysis phase include:
• Follow-up interviews and testing if necessary on specific control elements
• Walkthrough with client of the initial assessment
• Narratives and process flows when applicable

Reporting
The reporting phase is a comprehensive overview of the work performed during the project. The report will address the scope of the project, assessment methodology and comments, associated findings and communication to allow for remediation. Elements of the reporting phase include:
• Review of report with project stakeholders
• Narrative of control environment
• Findings and remediation
• Associated work papers and documentation

Remediation
Remediation provides the ability for areas in which deficiencies are identified in relation to the selected control framework to be mitigated and addressed by the client. Elements of the remediation phase include:
• Define action plans and timelines for remediation
• Communicate initiatives for remediation with stakeholders
• Execute initiatives for remediation

Quality Assurance
In order to provide the highest quality of work on each project, a series of reviews by experienced consultants and managing consultants of work activities and client deliverables are conducted before they are delivered to the client for review.

In order for the proposed engagement to be successful, roles and responsibilities for both DOT.COMM and Continuum Security Solutions are defined.
Continuum Security Solutions Responsibilities
• Execution of the tasks identified for this project
• Day-to-day project management for the scope provided within this statement of work, including tracking and resolution of project related issues, progress tracking and communication
• Assignment of a Managing Consultant to be the primary point of contact for all project management related issues
• Periodic project status reports and meetings as determined by DOT.COMM to keep all project stakeholders informed at all times
• Expertise and leadership in the information security program assessment, to include a thorough understanding of industry frameworks

DOT.COMM Responsibilities
• Provide a project sponsor, a point of contact, and appropriate access to knowledgeable key resources in information security, human resources, business units, and other resources as needed
• Designate a single point of contact to be responsible for all final decisions related to this proposal
• Provide any documentation and supporting information relevant to the success of the assessment
• Provide physical workspace for any work that requires on-site visits longer than one (1) business day

The cost associated with this policy/procedure review is based on a fixed price and can be found on the schedule below. The estimates set forth in this proposal are based on best effort to understand the needs of the client. If during the process of conducting the engagement, the assessment team identifies and confirms through the project sponsor a finding and/or issue that can affect the estimates in this proposal, the assessment team will adjust estimates accordingly.

Cost of Services
Service-related activity will be billed according to the month in which the service was completed.
Continuum Security Solutions will provide services for the price(s) as identified in the tables below:

Policy Review/Cyber Security Awareness Training: $35,200
• Baseline Assessment
• Policy and Procedure Review Against Framework(s)
• End User Awareness Training Modules
• Specialized Training Modules for Confidential Data Security
Additional consulting outside of the scope of this engagement will be done through a separate statement of work.

It should be noted that the fees quoted above exclude out of pocket costs, including travel, which will be billed separately as actual costs are incurred. All work is being performed locally; therefore no additional out of pocket expenses should be incurred. Any work required out of area will have to be authorized and approved by DOT.COMM prior to the engagement. DOT.COMM will be billed monthly at a pro-rated rate based on the percent of the project that has been completed. The entire project will be billed no later than June 15th 2013 in order to accommodate processing time set forth by DOT.COMM. It is understood that some of the work may be performed after June 15th, however due to funding availability and processing time, the final bill will need to be submitted on or near June 15th 2013.

Sample Project Schedule:
[Figure: sample project schedule chart; task list not recoverable]

Project Change Control
Any change to the scope, deliverables, or milestones contained within this proposal shall be made only in writing by authorized representatives of Continuum Security Solutions and DOT.COMM.

1. Acceptance
DOT.COMM shall have the right to evaluate each deliverable. Within five business days of delivery, DOT.COMM shall give written notice of Continuum's acceptance or rejection of the deliverable. DOT.COMM failure to provide written notice within this time frame shall be deemed to constitute acceptance.

2. Terms and Billing
This section describes the terms and billing of the SOW.
2.1. DOT.COMM agrees to pay the fees outlined in the SOW in United States Dollars (USD).
2.2. The Effective Date of this SOW is the date the second of the two parties signs this document, as outlined in the "Execution" section.
2.3. Continuum Security Solutions will bill applicable travel and expenses at actual cost to Continuum Security Solutions. Continuum Security Solutions will make every attempt to incur reasonable expenses associated with the implementation of this project. Continuum Security Solutions will communicate to DOT.COMM before travel is booked.
2.4. DOT.COMM will provide a purchase order (PO) number upon execution of this SOW: PO#:
2.4.1. DOT.COMM to send all POs, including Bill to and Ship to information for all orders to the billing and payment address identified below.
Attention to:
Company Name:
Address:
City:
State:
Zip:
Phone:
Fax:

These Standard Terms and Conditions govern the Engagement Letter (or Proposal or Statement of Work, all referred to as the "Proposal") attached hereto. These documents are collectively referred to, and comprise, the "Agreement" between DOT.COMM and CONTINUUM WORLDWIDE CORPORATION, DBA CONTINUUM SECURITY SOLUTIONS ("CONTINUUM"). By signing and accepting the Proposal, DOT.COMM accepts the following Standard Terms and Conditions:

1. Nature of Services: CONTINUUM will use commercially reasonable efforts to perform the services described in the Proposal.
It is understood and agreed that services provided by CONTINUUM may include advice and recommendations, but all decisions in connection with the implementation of such advice and recommendations shall be the responsibility of, and will be made by, DOT.COMM. In connection with performing its services, CONTINUUM shall be entitled to rely on all representations of fact, decisions and approvals made by DOT.COMM. 2. Warranties: This is a services engagement. CONTINUUM warrants that it shall use commercially reasonable efforts to perform the services hereunder and that such services shall, in all material respects, conform to the specifications on the Proposal for a period of thirty (30) days after delivery or performance of the services. CONTINUUM DISCLAIMS ALL OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 3. Limitation of Liability: CONTINUUM'S LIABILITY, IF ANY, TO DOT.COMM FOR ANY LOSS, DAMAGE, CLAIM, LIABILITY, OR EXPENSES OF ANY KIND (INCLUDING WITHOUT LIMITATION LOSS OF BUSINESS TO DOT.COMM) CAUSED DIRECTLY OR INDIRECTLY BY THE PERFORMANCE OR NONPERFORMANCE OF OBLIGATIONS PURSUANT TO THIS AGREEMENT OR BY THE NEGLIGENCE, ACTIVE OR PASSIVE, OF CONTINUUM SHALL BE EXCLUSIVELY LIMITED TO AN AGGREGATE AMOUNT OF THE GENERAL MONEY DAMAGES IN A TOTAL AMOUNT NOT TO EXCEED THE AMOUNTS PAID TO CONTINUUM UNDER THIS AGREEMENT. UNDER NO CIRCUMSTANCES SHALL CONTINUUM BE LIABLE FOR SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGES OR LOST PROFITS, DESPITE THE FACT THAT THE POSSIBILITY OF SUCH DAMAGES ARE OR MAY BE KNOWN TO CONTINUUM. 4. 
Allocation of Risk: DOT.COMM and CONTINUUM expressly acknowledge and agree that the limitations and exclusions contained in Sections 2, 3 and 5 have been the subject of active and complete negotiation between the parties and represent the parties' agreement as the allocation of risk between the parties based on the level of risk to CONTINUUM and DOT.COMM associated with their respective obligations under this Agreement. The fees payable to CONTINUUM in connection herewith reflect this allocation of risk and the exclusion of consequential damages in this Agreement. The parties acknowledge that but for the limitations in Sections 2, 3 and 5 the parties would not have entered into this Agreement. 5. DOT.COMM Acknowledgements and Representations (Not applicable to electronic and paper discovery and support services): 5.1. DOT.COMM Understandings. DOT.COMM agrees and understands that: (a) CONTINUUM does not guarantee that the services will detect or remediate all security weaknesses, potential security problems or potential breaches; (b) certain types of services may cause equipment, software or communications failures or otherwise interrupt or disrupt network services; and (c) DOT.COMM is responsible for performing adequate backups and disaster preparedness prior to the performance of any services. 5.2. DOT.COMM Representations and Warranties. DOT.COMM represents and warrants that it will use the tangible items specified as deliverables or work product in the Proposal which are provided to DOT.COMM ("Deliverables") only for its own internal use and as communicated by CONTINUUM. DOT.COMM shall make no representations to any other person or entity regarding the services or Deliverables, and will hold CONTINUUM harmless from any claims based upon such representations, as well as any costs or expenses arising therefrom (including, but not limited to, attorneys' fees and expenses). 6. Ownership and Intellectual Property: 6.1. CONTINUUM Technology. 
CONTINUUM has created, acquired or otherwise has rights in, and may, in connection with the performance of services hereunder, employ, provide, modify, create, acquire or otherwise obtain rights in, various concepts, ideas, methods, methodologies, procedures, processes, know-how, and techniques (including, without limitation, function, process, system and data models); templates; generalized features of the structure, sequence and organization of software, user interfaces and screen designs; general purpose consulting and software tools, utilities and routines; and logic, coherence and methods of operation of systems (collectively, the "CONTINUUM Technology"). 6.2. Ownership of CONTINUUM Property: 6.2.1. To the extent that CONTINUUM utilizes any of its property (including, without limitation, the CONTINUUM Technology or any hardware or software of CONTINUUM) in connection with the performance of services hereunder, such property shall remain the property of CONTINUUM and, except for the license expressly granted in Section 6.3, DOT.COMM shall acquire no right or interest in such property. 6.2.2. Notwithstanding anything herein to the contrary, the parties acknowledge and agree that (a) CONTINUUM shall own all right, title, and interest, including, without limitation, all rights under all copyright, patent and other intellectual property laws, in and to the any of the Deliverables and the CONTINUUM Technology; and, (b) CONTINUUM may employ, modify, disclose, and otherwise exploit the Deliverables or CONTINUUM Technology (including, without limitation, providing services or creating programming or materials for other DOT.COMM).
CONTINUUM does not agree to any terms that may be construed as precluding or limiting in any way its right to (a) provide consulting or other services of any kind or nature whatsoever to any person or entity as CONTINUUM in its sole discretion deems appropriate; or, (b) develop for itself, or for others, materials that are competitive with those produced as a result of the services provided hereunder, irrespective of their similarity to any Deliverable. 6.2.3. Notwithstanding anything to the contrary, CONTINUUM shall protect any DOT.COMM Confidential Information as set forth in Section 7 which may be embedded in the Deliverables. 6.3. License to Deliverables. Upon full and final payment to CONTINUUM hereunder, DOT.COMM shall receive a royalty-free, fully paid-up, worldwide, non-exclusive license to use any of the Deliverables. DOT.COMM agrees that this is not a work-made-for-hire agreement and that CONTINUUM shall retain sole ownership of all Deliverables. DOT.COMM further agrees not to re-sell, license or otherwise provide any Deliverable to any third party. 7. Confidentiality: 7.1. Confidential Information. Each party may provide to the other, and each party may come into possession of information relating to the other party's business which is considered confidential (the "Confidential Information"). Confidential Information shall include, without limitation, all CONTINUUM Technology, all Deliverables, all information marked confidential, all trade secrets of the parties (as defined under the applicable state trade secret law), and all information relating to each party's business plans and operations, products, costs, marketing statistics, all DOT.COMM information, statistics, reports, data, lists, security assessments and analysis, future plans, business affairs, process information, technical information, finances, marketing plans and pricing strategy. 
Notwithstanding the foregoing, the term Confidential Information shall not include information that (a) is publicly known at the time of its disclosure, (b) is lawfully received by the receiving party from a third party not under an obligation of confidentiality to the disclosing party, (c) is published or otherwise made known to the public by the disclosing party, or (d) was generated independently by the receiving party before disclosure by the disclosing party. 7.2. Restrictions. Neither party shall disclose any of the other party's Confidential Information to any person, or permit any person to use, examine or reproduce Confidential Information without the prior written consent of the other party, unless such Confidential Information has become public knowledge through means other than breach of this Agreement or unless disclosure is required by a valid subpoena, court order or applicable law. Each party shall exercise at least the same degree of care to protect the confidentiality of the other party's Confidential Information which it exercises to protect the confidentiality of its own similar confidential information, but in no event less than reasonable care. As long as a party meets this standard of care, that party shall have no additional obligations or liability regarding confidentiality. 7.3. Limited Rights of Disclosure. Anything to the contrary notwithstanding, CONTINUUM may, without the prior specific written authorization of DOT.COMM, (a) disclose and make available DOT.COMM Confidential Information, on a confidential and restricted basis, to its employees and independent contractors who have a reasonable need to know or have access to such information and materials in connection with the services, and (b) use DOT.COMM Confidential Information for any proper purpose related to the services. 7.4. Notice of Breach. 
Each party will immediately notify the other party of any theft or unauthorized disclosure, reproduction or use of any Confidential Information, or any part of such information, of which such party has knowledge. The notice shall include the name, title and business address of any person, whether or not employed by the notifying party whom such party reasonably believes has unauthorized possession of or made unauthorized disclosure, reproduction or use of Confidential Information and a detailed description of the Confidential Information at issue and the factual circumstances surrounding the unauthorized disclosure, theft or loss. 7.5. Injunctive Relief. Each party acknowledges that any violation of the provisions of this Section 7, may result in irreparable harm to the other party and that such other party may have no adequate remedy at law. The parties agree that in addition to a right to terminate this Agreement upon a breach of confidentiality, each party shall have the right to seek equitable relief by the way of injunction to restrain such violation and to such further relief it may be entitled at law or in equity. 8. Fees and Payment Terms: 8.1. Fees. Fees and payment terms for the services are outlined in the Proposal. Unless otherwise provided in the Proposal, fees may be modified by CONTINUUM upon thirty (30) days written notice to DOT.COMM. 8.2. Payment Terms. Invoices upon which payment is not received within thirty (30) days of the invoice date shall accrue a late charge of the lesser of (a) 1.5% percent each month or (b) the highest rate allowable by law, in each case compounded monthly to the extent allowable by law. CONTINUUM has no obligation to perform services in the event invoices remain unpaid. 9. Cancellation: This Agreement may be terminated upon the written mutual agreement of both parties. 10. 
Cooperation: DOT.COMM shall cooperate with CONTINUUM in the performance by CONTINUUM of its services hereunder, including, without limitation, providing CONTINUUM with reasonable facilities and timely access to data, information and personnel of the DOT.COMM. DOT.COMM shall be responsible for the performance of its personnel and agents and for the accuracy and completeness of all data and information provided to CONTINUUM for purposes of the performance by CONTINUUM of its services hereunder. 11. No Third Party Beneficiary: This Agreement is for the sole and exclusive benefit of the parties hereto, and their respective successors and permitted assigns. The parties do not intend to create any third party beneficiaries or other incidental beneficiaries and nothing herein, express or implied, is intended to or shall confer upon any other person any legal or equitable right, benefit or remedy of any nature whatsoever under or by reason of this Agreement. 12. Force Majeure: Neither party shall be liable for any delays or non-performance resulting from circumstances or causes beyond its reasonable control that could not have been avoided despite its use of commercially reasonable efforts to prevent undue delay, including, without limitation, acts or omissions or the failure to cooperate by the other party, acts or omissions or the failure to cooperate by any third party, fire or other casualty, act of God, strike or labor dispute, war or other civil unrest, or any law, order or requirement of any governmental agency or authority. 13. Entire Agreement, Amendment and Notices: This Agreement is the entire agreement between CONTINUUM and DOT.COMM with respect to this engagement. It supersedes all other oral and written representations, understandings or agreements relating to this engagement, and may not be amended except by written agreement signed by the parties.
In the event of any conflict between the Standard Terms and Conditions and the Proposal, the Standard Terms and Conditions shall govern and control, unless expressly and unambiguously agreed to by the parties in the Proposal, and only to the extent that it specifically references the portion(s) of the Standard Terms and Conditions it means to supersede. All notices hereunder shall be (a) in writing, (b) delivered to the representatives of the parties at the addresses first set forth in the Agreement, unless changed by either party by notice to the other party, and (c) effective upon receipt. 14. Governing Law and Severability: This Agreement shall be governed by the laws of the State of Nebraska (without regard to conflict of law principles of that State or any other state). The parties agree that any cause of action or litigation involving the alleged breach or enforcement of this Agreement or any claim arising hereunder shall be filed exclusively in federal or state court in Douglas County, Nebraska, and DOT.COMM hereby irrevocably consents to the jurisdiction of any federal or state court in Douglas County, Nebraska. If any provision of this Agreement is found by a court of competent jurisdiction to be unenforceable, such provision shall not affect the other provisions, but such unenforceable provision shall be deemed modified to the extent necessary to render it enforceable, preserving to the fullest extent permissible the intent of the parties set forth herein. 15. Trademarks, Trade Names, etc.: Neither party shall use or reproduce, by any means, any logo, trademark, service mark, copyrighted material or name of the other party or its affiliates, in any advertising, publicity releases, company lists or otherwise, without the prior written consent of such party. 16. 
Independent Contractor: Each of the parties hereto is an independent contractor and neither party is, nor shall be considered to be, an agent, distributor, partner, fiduciary or representative of the other. Neither party shall act or represent itself, directly or by implication, in any such capacity in respect of the other or in any manner assume or create any obligation on behalf of, or in the name of, the other. 17. Insurance: CONTINUUM agrees to carry commercial general liability and property damage insurance with combined bodily injury and property damage limits of at least $1,000,000 for each occurrence and $2,000,000 aggregate. CONTINUUM also agrees, upon request, to forward a certificate of insurance verifying said coverage within thirty (30) days of the execution of this Agreement. 18. Assignment: DOT.COMM shall not assign its rights under this Agreement to any third party without the prior written consent of CONTINUUM. CONTINUUM may assign this Agreement or engage third party independent contractors to assist in providing services hereunder without the consent of DOT.COMM. 19. No-Hire: Neither party shall, without the prior written consent of the other party, hire as an employee, sole proprietor or independent contractor, any employee of the other party who participated directly in that party's performance under this Agreement, prior to the expiration of: (a) one (1) year from the last date of employment by the other party, or (b) one (1) year from the completion of that employee's performance under this Agreement, whichever occurs earlier. If the other party's permission is required by this Section, then the hiring party must inform the other party at least seven (7) business days prior to offering the position to the other party's employee of the hiring party's intention to make the offer. 
Notwithstanding the foregoing, (a) the hiring party shall not be required to obtain the other party's permission to hire any former employee who left the employ of the other party without personal solicitation of the departing employee by the hiring party; and (b) DOT.COMM shall not be required to obtain CONTINUUM's permission to contract with another consulting or contracting firm which intends to place CONTINUUM's former employee on a DOT.COMM project. 20. Statute of Limitations: No action (including arbitration), regardless of form, arising out of transactions under this Agreement, shall be brought by either party more than one (1) year after the cause of action has accrued. This limitation shall not apply to any action brought by CONTINUUM for collection of any amounts owed by DOT.COMM to CONTINUUM under this Agreement. 21. Changes: Any changes to this Agreement will be made in writing and subject to mutual agreement as to content and equitable adjustment to contract price, if applicable. 22. Pricing Quotes: Quotes are valid for 15 days after date of issuance, unless otherwise noted. 2.5. If DOT.COMM issues a purchase order (hereinafter a "Non-Conforming Document") to Continuum Security Solutions the only terms and conditions of such Non-Conforming Document that are valid, are the names of products and/or services provided (i.e., unit, quantity, unit price, extended price, order date, and delivery date). Notwithstanding the foregoing, all other pre-printed or added terms and conditions of such Non-Conforming Document or like forms used by DOT.COMM to implement this SOW, which are intended to vary the terms of this SOW herein, are void with respect to the SOW, even if acknowledged in writing by Continuum Security Solutions. 2.6. DOT.COMM to send all payments to the following billing and payment address: Continuum Security Solutions Attn: Accounts Receivable 3333 Farnam Street, Suite 1 Omaha, NE 68131 USA 3. 
Execution In Witness Whereof, the parties have caused this SOW to be executed, and do each hereby warrant and represent, that their respective signatory whose signature appears below, has been, and is, on the date of this SOW, duly authorized by all necessary and appropriate corporate action, to execute this SOW. By signing below, you authorize Continuum Security Solutions to proceed with the Services as outlined in this SOW. Proposed by: Agreed Upon and Accepted by: Continuum Security Solutions DOT.COMM Signature: Printed Name: Title: Date: NON-DISCLOSURE AGREEMENT THIS NON-DISCLOSURE AGREEMENT (this "Agreement") effective the February 19th, 2013 is entered into between Continuum Worldwide Corporation DBA Continuum Security Solutions ("Continuum") located at 3333 Farnam St, Suite 1, Omaha, NE 68131 and DOT.COMM, located at 401 S. 18th St. Omaha NE, 68102 PRELIMINARY STATEMENT Continuum and CORPORATION (the "Parties") may have discussions relating to potential business opportunities between the Parties. Discussion of these potential business opportunities will necessitate disclosure of certain financial and other confidential information by the Parties. The Parties desire to restrict the use of the confidential information disclosed in the Parties' discussions to use in evaluation of the business opportunities. NOW THEREFORE, the Parties agree as follows. Definition of Confidential Information. 
As used herein, "Confidential Information" will mean any and all technical and non-technical information provided by a Party (the "Disclosing Party") to the other Party (the "Recipient"), which may include without limitation information regarding: (a) patent and patent applications, (b) trade secrets, and (c) proprietary and confidential information, techniques, sketches, drawings, works of authorship, models, inventions, know-how, processes, apparatuses, equipment, algorithms, software programs, software source documents, and formulae related to the current, future, and proposed products and services of the Disclosing Party, including without limitation the Disclosing Party's information concerning research, experimental work, development, design details and specifications, engineering, financial information, procurement requirements, purchasing, manufacturing, customer lists, investors, employees, business and contractual relationships, business forecasts, sales and merchandising, marketing plans and information the Disclosing Party provides regarding third parties. Disclosure/Use of Confidential Information. Subject to Section 3, the Recipient agrees that at all times and notwithstanding any termination or expiration of this Agreement, it will hold in strict confidence and not disclose to any third party any Confidential Information, except as approved in writing by the Disclosing Party, and will use the Confidential Information for no purpose other than as provided in this Agreement. The Recipient will limit access to the Confidential Information to only those of its employees or authorized representatives having a need to know and who have signed confidentiality agreements containing, or are otherwise bound by, confidentiality obligations at least as restrictive as those contained herein. 
The Parties recognize and agree that nothing contained in this Agreement will be construed as granting any property rights, by license or otherwise, to any Confidential Information disclosed under this Agreement, or to any invention or any patent, copyright, trademark, or other intellectual property right that has issued or that may issue, based on such Confidential Information. The Parties will not make, have made, use or sell for any purpose any product or other item using, incorporating or derived from any Confidential Information. Exceptions. The Recipient will have no obligations under this Agreement with respect to a specific portion of the Confidential Information if the Recipient can demonstrate with competent evidence that such Confidential Information: Was in the public domain at the time it was disclosed to the Recipient or entered the public domain subsequent to the time it was disclosed to the Recipient, through no fault of the Recipient; Was in the Recipient's possession free of any obligation of confidence at the time it was disclosed to the Recipient; Can be shown by the Recipient to have been independently developed by it or its subsidiaries, affiliates or independent contractors without the use of Confidential Information; or Was rightfully communicated to the Recipient free of any obligation of confidence subsequent to the time it was disclosed to the Recipient. 
Notwithstanding the above, the Recipient may disclose certain Confidential Information, without violating the obligations of this Agreement, to the extent such disclosure is required by a valid order of a court or other governmental body having jurisdiction, provided that the Recipient provides the Disclosing Party with reasonable prior written notice of such disclosure and makes a reasonable effort to obtain, or to assist the Disclosing Party in obtaining, a protective order preventing or limiting the disclosure and/or requiring that the Confidential Information so disclosed be used only for the purposes for which the law or regulation required, or for which the order was issued. Loss of Confidential Information. The Recipient will immediately notify the Disclosing Party in the event of any loss or unauthorized disclosure of any Confidential Information. Return of Confidential Information. Upon termination or expiration of this Agreement, or upon written request of the Disclosing Party, the Recipient will promptly return to the Disclosing Party all documents and other tangible materials representing any Confidential Information and all copies thereof. Further Restrictions. Confidential Information will not be reproduced in any form except as required to accomplish the intent of this Agreement. Any reproduction of any Confidential Information will remain the property of the Disclosing Party and will contain any and all confidential or proprietary notices or legends that appear on the original, unless otherwise authorized in writing by the Disclosing Party. Termination. This Agreement will terminate two (2) years after the Effective Date. The Parties' obligations under this Agreement will survive termination of this Agreement and will be binding upon the Recipient's heirs, successors, and assigns. Governing Law. 
This Agreement will be governed by and construed in accordance with the laws of Nebraska, without giving effect to conflict of laws principles of that State or any other state. Any disputes under this Agreement may be brought in the state courts and the Federal courts located in Douglas County, Nebraska, and the parties hereby consent to the personal jurisdiction and exclusive venue of these courts. This Agreement may not be amended except by a writing signed by both parties. Acknowledgment of Confidential Nature of Confidential Information. The Parties acknowledge the Confidential Information is confidential and proprietary to the disclosing party and disclosure of the Confidential Information could be seriously harmful to the business prospects of the Disclosing Party. Both Parties acknowledge that the Disclosing Party may not have adequate remedies at law for a breach by Recipient of its obligations under this Agreement and money damages suffered by the Disclosing Party as a result of any such breach may be difficult or impossible to determine. Accordingly, Recipient agrees that Disclosing Party, without the requirement of posting any bond or other security, in addition to all other remedies available at law, shall be entitled to seek and obtain equitable relief, including injunctive relief, in the event of any such breach. The successful party in enforcing any obligations hereunder shall be reimbursed by the unsuccessful party for all its costs and expenses, including reasonable attorneys' fees related to such enforcement. Indemnification. 
The Recipient shall defend, hold harmless and indemnify the Disclosing Party from any claims, damages, liabilities, losses and expenses, including costs of investigation, court costs and attorneys' fees, arising out of allegations of a third party (including, but not limited to, allegations by a governmental agency) that the Disclosing Party breached a duty of confidentiality owed to that third party, if such breach of confidentiality was caused by the actions of the Recipient or its employees, agents or contractors. Approval to Export. The Parties will not export, directly or indirectly, any technical data acquired under this Agreement or any product utilizing any such data to any country for which the U.S. Government or an agency thereof at the time of export requires an export license or other governmental approval, without first obtaining such license or approval. Severability. If any provision of this Agreement shall be held invalid or unenforceable by any court of competent jurisdiction, such holding shall not invalidate or render unenforceable any other provision hereof and this Agreement shall be construed as restricting, limiting or eliminating the particular provision held to be invalid or unenforceable so as to render the entire Agreement valid and enforceable to the fullest extent possible. Notices. All notices or reports permitted or required under this Agreement will be in writing and will be delivered by personal delivery, electronic mail, facsimile transmission or by overnight, certified or registered mail, return receipt requested, and will be deemed given upon personal delivery, five (5) days after deposit in the mail, or upon acknowledgment of receipt of electronic transmission. Notices will be sent to the addresses set forth at the end of this Agreement or such other address as either party may specify in writing. IN WITNESS WHEREOF, the Parties hereto or their duly authorized representatives have executed this Agreement. 
Continuum Worldwide Corporation DOT.COMM DBA Continuum Security Solutions By: Bret Brasfield By: Title: Business Developer Title: Date: 3/05/13 Date: JUSTIFICATION FOR NON-COMPETITIVE PROCUREMENT (SOLE SOURCE JUSTIFICATION) PARAGRAPH 1: A brief description of the program and what is being contracted. We are working on a program to increase the cyber security education for Sarpy and Douglas County as part of the 2010 UASI Cyber Security Grant. We looked for one of our trusted vendors who could review our existing cyber security policy and create user education training videos custom made for Douglas County and Sarpy County, Nebraska. This custom training to address the cyber security needs of local government and model them after our policies specifically. PARAGRAPH 2: Explanation of why a non-competitive contract is necessary, to include the following: • Expertise of the contractor. • Management. • Responsiveness. • Knowledge of the program. • Experience of personnel. Continuum, the vendor that was selected, was familiar with the environment at both Sarpy and Douglas counties. They are trusted and we knew they could get the work done in a timely fashion. They are very flexible and offered both the policy review with custom video work. Continuum, which is a Mutual of Omaha company, is a proven provider of custom IT security services including: training, vulnerability scanning, incident response, and other security tasks. Their staff is very intelligent and has provided excellent insight on previous engagements; we knew they would provide a solid service. PARAGRAPH 3: Time Contracts • When contractual coverage is required and why. • Impact on program if dates are not met. • How long would it take another contractor to reach the same level of competence? (Equate to dollars if desired) PARAGRAPH 4: Uniqueness Other quality and trusted vendors we looked at, FishNet, Forsythe, and SANS had on-line cyber security training modules, but were very canned. 
Some could do the modifications to the curriculum, but it was not an easy or cheap task to perform. Continuum has done the custom training modules for other companies and even started the conversation of how a custom module for our environment would be the best. They stated that they would even have custom video (vignettes) created to better train the visual learners. As the only vendor we talked to out of the group that had this custom approach, they were indeed unique. PARAGRAPH 5: Other points that should be covered to make a convincing case. PARAGRAPH 6: A declaration that this action is in the best interest of the agency. By going with Continuum, we are selecting a trusted and secure vendor who is responsive, creative, and accurate. This vendor is the best choice for the task at hand for both Sarpy County and Douglas County. Reference: U.S. Department of Justice Office of Justice Programs Financial Guide 2005 http://www.ojp.usdoj.gov/FinGuide/ Chapter 10 — Procurement Under Awards of Federal Assistance, #3 C-25A CITY OF OMAHA LEGISLATIVE CHAMBER Omaha, Nebraska RESOLVED BY THE CITY COUNCIL OF THE CITY OF OMAHA: WHEREAS, Continuum Security Solutions submitted a proposal in the amount of thirty five thousand two hundred dollars ($35,200.00) for professional services required for the establishment of the Douglas-Omaha Technology Commission (DotComm) Cyber Security End User Awareness Training Program which will be administered and overseen by DotComm; and, WHEREAS, Continuum Security Solutions is the sole source vendor for this product as provided in Chapter 5.16 of the Home Rule Charter; and, WHEREAS, the Cyber Security End User Awareness Program training will be an important step toward a more secure City/County information network; and, WHEREAS, $35,200.00 of the purchase is budgeted from and will be funded by the Nebraska Emergency Management Agency (NEMA) FY 2010 Urban Area Security Initiative, Award #2010-SS-T8-0013, Fund 12151, 
Organization 130762; and, WHEREAS, the Mayor recommends your favorable consideration of this Resolution. NOW THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF OMAHA: THAT, as recommended by the Mayor, the purchase from Continuum Security Solutions, a sole source vendor provided in Chapter 5.16 of the Home Rule Charter in the amount of thirty five thousand two hundred dollars ($35,200.00) for the DotComm Cyber Security End User Awareness Training Program that will be an important step toward a more secure City/County information network, is hereby approved. FURTHER THAT, the Finance Department of the City of Omaha is authorized to pay Continuum Security Solutions in the amount of $35,200.00 for the procurement of professional services related to the DotComm Cyber Security End User Awareness Training Program, budgeted from and funded by the Nebraska Emergency Management Agency (NEMA) FY 2010 Urban Area Security Initiative, Award #2010-SS-T8-0013, Fund 12151, Organization 130762. By: Councilmember. APPROVED AS TO FORM: ASSISTANT CITY ATTORNEY, DATE. Adopted AUG 13 2013. City Clerk. Approved: Mayor. Resolution by: Res. that, as recommended by the Mayor, the purchase from Continuum Security Solutions, a sole source vendor provided in Chapter 5.16 of the Home Rule Charter in the amount of thirty five thousand two hundred dollars ($35,200.00) for the DotComm Cyber Security End User Awareness Training Program that will be an important step toward a more secure City/County information network, is hereby approved. 
Further that, the Finance Department of the City of Omaha is authorized to pay Continuum Security Solutions in the amount of $35,200.00 for the procurement of professional services related to the DotComm Cyber Security End User Awareness Training Program, budgeted from and funded by the Nebraska Emergency Management Agency (NEMA) FY 2010 Urban Area Security Initiative, Award #2010-SS-T8-0013, Fund 12151, Organization 130762. Presented to City Council AUG 13 2013. Adopted. City Clerk